Understanding and applying the 3-2-1 backup rule for data security

What is the 3-2-1 backup rule?

The 3-2-1 backup rule is part of a data protection or disaster recovery (DR) strategy that involves creating at least three copies of an organization’s data to be used as backups for cyber resilience and business continuity. Two copies are stored on-site (but on different media), and one is stored off-site.

Why perform this data isolation? Because a backup copy simply isn’t enough. Today, data is so important that organizations need to go to extra measures including air gapping, to ensure valuable data isn’t lost, stolen, encrypted, or otherwise rendered inaccessible or unusable. Organizations and their leaders don’t want, and frankly can’t afford, any single point of failure to get in the way of being able to access the data needed to run the business.

Why is 3-2-1 backup important?

Data loss can be catastrophic to organizations and can severely interrupt business operations.

The 3-2-1 backup rule is important because making a minimum of three copies of data is usually sufficient to successfully recover from incidents in which production data is lost, stolen, or compromised— whether through natural disasters, human errors, or cybercriminal activity.

The accelerating rise in ransomware underscores the importance of using the 3-2-1 backup rule. A recent survey found that 2022 attacks were 29% more numerous than 2021, and 34% higher than 2020. Ransomware attacks are on track to continue to rise. Moreover, 89% of all ransomware attacks now go beyond merely encrypting data to data exfiltration, leading to more cases of double extortion ransomware. Bad actors are increasingly intent on capturing all data, including backups, rendering traditional backup strategies useless.

Having two copies on two different on-premises types of media—for example, on both a storage appliance and a hard disk drive—strengthens disaster recovery postures based on the probability that at least one of the on-prem backups will survive an incident. Adding an off-site copy, whether tapes that are stored in a remote warehouse or data located online in the public cloud or a virtual air gap, adds a deeper layer of insurance that organizations have access to data even in circumstances where all on-site copies are destroyed.

What are the benefits and disadvantages of the 3-2-1 backup method?

When it comes to advantages, the 3-2-1 backup rule is proven, flexible, and effective.

Proven — Used for decades in businesses, both large and small, the 3-2-1 backup rule is an industry standard that provides a solid foundation on which to build a holistic data protection strategy.

Flexible — As storage media and data backup technologies and methods evolve, backup administrators can adapt this formula to suit changing strategic priorities.

Effective — The (at least) three copies provide necessary protection against most system failures— and an isolated off-site copy protects against both natural disasters and the rising threat of ransomware.

The chief disadvantages of the 3-2-1 rule are the following:

• Not for every business — The 3-2-1 backup rule doesn’t apply equally to every company in every backup situation. Rather, the 3-2-1 backup rule is intended to serve as a baseline, not a fixed rule that works for all organizations.
• Outpaced by evolving cyber threats — Cybercriminals and the technology they use are rapidly advancing, and the 3-2-1 backup rule may prove insufficient protection. For some organizations, it may be a bit outdated and not efficiently protect their data from more advanced data disasters or threats.
• Relatively expensive to implement — Storing multiple copies of data on different types of media and at different locations can incur additional costs, such as storage fees, the cost of purchasing additional hard drives, and the cost of backup software licenses. Plus, at most businesses, data is growing exponentially over time, so the raw storage costs alone can be prohibitive.

How to manage and implement 3-2-1 backup?

There are several steps in implementing and managing a 3-2-1 backup strategy.

• Choose a backup solution that supports the 3-2-1 model — When selecting a data backup solution, teams should check its ease of use, scalability, recovery times, system security, vendor reliability, and the quality of vendor support.
• Create a backup plan — A successful data backup plan identifies what data needs to be backed up and how often. Some data might not need to be backed up at all, but other business-critical data could require backing up every hour or even every minute.
• Set key recovery metrics — Decide upon recovery numbers. For example, the recovery point objective (RPO)—the maximum amount of downtime considered acceptable—and the recovery time objective (RTO), the maximum time it takes to get back to business as usual after a data incident—are important to establish upfront.
• Test the recovery plan — Regularly test the recovery plan to make sure it works and that teams can meet agreed-upon RPOs and RTOs.
• Act when necessary — If production data is lost, stolen, or corrupted, and therefore unavailable, initially attempt to recover it from onsite backup. If that copy is not accessible or is unusable, try the other onsite backup copy (which is stored on a different media or device). If that is also missing or damaged, recover data from the off-site or air-gapped location.
• Repeat as often as necessary — Once teams have recovered and restored data, begin the 3-2-1 backup process again, constantly improving it for efficiency and effectiveness.

How has the 3-2-1 backup approach evolved?

Cybercrime hasn’t stood still over the decades that the 3-2-1 data backup rule has been in use. As technologies and processes have evolved, so have cybercriminals’ tactics and ways to prevent data from being lost, stolen, or corrupted. Because of this, the 3-2-1 backup rule has evolved into several different flavors that businesses can choose from to bolster their DR and data protection strategies. Cloud, in particular, has influenced this evolution.

The 3-2-1-1-0 approach

This approach depends on adding one more copy of data into the mix. The second “1” refers to a data backup that is air-gapped or immutable. (Air-gapped means the backup cannot be accessed by any network; immutable means the data cannot be modified or changed.)

The final “0” means that there are zero errors in the backups. Teams ensure this by monitoring various storage devices and media, resolving any issues they find, and doing regular testing of backup-and-restore processes.

The 4-3-2 approach

Organizations that choose this strategy increase the overall number of copies they make of their data, plus they have some stricter parameters to follow when it comes to types of storage.

The “4” means making four copies of data. The “3” refers to the fact that teams store them in three locations (on-premises, off-site with a provider such as Iron Mountain, and in the cloud with a cloud service provider). The “2” means that of the three locations, two are off-site, which can include an air gap.

Why is it important for businesses to have off-site and onsite backup strategies?

When planning backup and recovery strategies, it’s important to have both off-site and onsite backup because organizations can’t afford a single point of failure. For example, if the primary backup of production data is local and onsite, teams could lose access to both primary and backup copies in cases of a flood, hurricane, power failure, or other natural or manmade disaster. Following the 3-2-1 backup rule, however, means having another copy of data off-site that can be recovered even if the two onsite copies are unusable.

Likewise, if teams depend only on off-site backup— either on-premises or in the cloud—they run some risks. Even off-site storage facilities are vulnerable to natural disasters wherever they are located. And for cloud storage, if a cyberattack succeeds in penetrating the cloud, organizations could lose data, unless they have another copy stored onsite. That’s another reason to follow the 3-2-1 backup rule (or one of its flavors).

Cohesity and 3-2-1 backup

The growing number and severity of cyberattacks are driving organizations to fortify their IT systems and data. Many follow some form of the time-honored 3-2-1 backup rule. Organizations investing in the Cohesity data security and data management platform have a head start on the 3-2-1 rule and the various industry-leading frameworks, such as the NIST Security Framework.

Cohesity Data Cloud is a purpose-built backup solution for 3-2-1, 4-3-2, and 3-2-1-1-0 strategies alike with defense-in-depth capabilities that include:

• Immutable snapshots — A gold copy of backup data that is never exposed nor mounted externally.
• Encryption — Data encrypted at-rest and in-flight.
• Data isolation — Isolation of data to keep it safe from cyber and internal threats.

Isolation through air gapping requires organizations to keep at least one copy of their data physically and electronically isolated. However, this doesn’t replace existing backup and recovery or DR solutions but provides an extra layer of protection. And although highly secure, this approach does not support RTO and RPO goals.

As a result, backup data is stored in the cloud or another location with a temporary and highly secure connection. This provides a tamper-resistant environment protecting against ransomware while  supporting the organization’s RTO and RPO objectives.

Balancing the need for minimizing RTO and RPO and data isolation is the best way to achieve cyber resilience that meets organizational objectives. Cohesity offers new data isolation techniques that integrate with backup and recovery processes to deliver stronger data protection and security strategies, reducing the risk of disruption to business continuity.